gnunet-developers

Re: RFC 9498: The GNU Name System


From: Schanzenbach, Martin
Subject: Re: RFC 9498: The GNU Name System
Date: Tue, 21 Nov 2023 20:10:30 +0100
User-agent: Mozilla Thunderbird

Hi,

On 21.11.23 18:55, Maxime Devos wrote:
On 21-11-2023 at 08:34, Schanzenbach, Martin wrote:
We are happy to announce that our *The GNU Name System* (GNS)
specification is now published as RFC 9498 [0].

in order to transparently enable this functionality for migration purposes, a local GNS-aware SOCKS5 proxy [RFC1928] can be configured to resolve domain names

Are you sure this is transparent?  Consider the case where a website has a log-in system, and instead of being based on passwords, it is based on TLS client certificates (for example, https://ci.guix.gnu.org/ has such a system to decide who is allowed to adjust ‘specifications’ and ‘restart builds’).

Given that the SOCKS5 proxy is technically a MITM attack, and the client certificates instead of only server certificates, I would expect (and hope) that the SOCKS5 proxy can't convince the server that it is the client.


Obviously, TLS client authentication does not work in this case and this migration path, unless the proxy itself does it. I do not see a problem with the proxy doing it. It just somehow needs to have access to your client certs.
Our implementation does not support this kind of flow atm.

BR

It's a somewhat niche use case, so mostly transparent, sure.
But transparent, without qualifiers, I don't think so.

Best regards,
Maxime Devos


